Update dependency RestSharp to v112 [SECURITY] #98
This PR contains the following updates: RestSharp 108.0.3 -> 112.0.0
GitHub Vulnerability Alerts
CVE-2024-45302
Summary
The second argument to RestRequest.AddHeader (the header value) is vulnerable to CRLF injection. The same applies to RestRequest.AddOrUpdateHeader and RestClient.AddDefaultHeader.
Details
The way HTTP headers are added to a request is via the HttpHeaders.TryAddWithoutValidation method: https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32
This method does not check for CRLF characters in the header value. This means that any headers from a RestSharp.RequestHeaders object are added to the request in such a way that they are vulnerable to CRLF injection. In general, CRLF injection into an HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.
PoC
The below example code creates a console app that takes one command line variable "api key" and then makes a request to some status page with the provided key inserted in the "Authorization" header:
This application is now vulnerable to CRLF injection, and can thus be abused to, for example, perform request splitting and thus server side request forgery (SSRF):
The application intends to send a single request of the form:
But as the application is vulnerable to CRLF injection, the above command will instead result in the following two requests being sent:
and
This can be confirmed by checking the access logs on the server where these commands were run (with insert.some.site.here pointing to localhost):
Impact
If an application using the RestSharp library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.
Strictly speaking this is a potential vulnerability in applications using RestSharp, not in RestSharp itself, but I would argue that at the very least there needs to be a warning about this behaviour in the RestSharp documentation.
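The advisory's Impact section comes down to one rule for callers: a value that an end user can influence must not reach AddHeader while it still contains a carriage return or line feed, because the path through HttpHeaders.TryAddWithoutValidation will not reject it. The following is an added example, not code from the RestSharp project or from the advisory, of an application-side guard that enforces that rule in front of AddHeader. It assumes the RestSharp package is referenced; the names HeaderGuard, IsSafeHeaderValue and SafeAddHeader are this example's own.

```csharp
using System;
using RestSharp;

// Added example: application-side guard against CRLF in header names and values.
// HeaderGuard, IsSafeHeaderValue and SafeAddHeader are hypothetical names, not RestSharp API.
static class HeaderGuard
{
    // True only when the string contains neither CR (0x0D) nor LF (0x0A).
    // In HTTP/1.1 those two bytes terminate a header line, so any occurrence
    // inside a value would let the caller start a new header or a new request.
    public static bool IsSafeHeaderValue(string value)
    {
        if (value is null) return false;
        return value.IndexOf('\r') < 0 && value.IndexOf('\n') < 0;
    }

    // Same signature shape as RestRequest.AddHeader, but refuses tainted input
    // instead of passing it through to the non-validating header path.
    public static RestRequest SafeAddHeader(this RestRequest request, string name, string value)
    {
        if (!IsSafeHeaderValue(name) || !IsSafeHeaderValue(value))
            throw new ArgumentException(
                $"Header '{name}' contains CR or LF characters; refusing to add it.");
        return request.AddHeader(name, value);
    }
}

class Program
{
    // Mirrors the advisory's console app: the API key comes from the command line,
    // so it is user-controllable and must be checked before it becomes a header value.
    static int Main(string[] args)
    {
        var apiKey = args.Length > 0 ? args[0] : "";
        var request = new RestRequest("/status");

        try
        {
            request.SafeAddHeader("Authorization", $"Bearer {apiKey}");
            Console.WriteLine("Authorization header accepted.");
            return 0;
        }
        catch (ArgumentException ex)
        {
            // A value such as "key\r\nX-Injected: 1" lands here instead of on the wire.
            Console.WriteLine($"Rejected: {ex.Message}");
            return 1;
        }
    }
}
```

Rejecting rather than stripping is deliberate: silently removing the line breaks hides the fact that something upstream supplied a malformed value, which is exactly what an access log or an alert should surface. The same check belongs in front of AddOrUpdateHeader and AddDefaultHeader, which the advisory names as equally affected.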
Release Notes
restsharp/RestSharp (RestSharp)

v112.0.0
What's Changed
New Contributors
Full Changelog: restsharp/RestSharp@111.4.1...112.0.0

v111.4.1
What's Changed
New Contributors
Full Changelog: restsharp/RestSharp@111.4.0...111.4.1

v111.4.0
What's Changed
New Contributors
Full Changelog: restsharp/RestSharp@111.3.0...111.4.0

v111.3.0
What's Changed
New Contributors
Full Changelog: restsharp/RestSharp@111.2.0...111.3.0

v111.2.0
What's Changed
- Execute(request) without method
Full Changelog: restsharp/RestSharp@111.1.0...111.2.0

v111.1.0

v111.0.0
What's Changed
New Contributors
Full Changelog: restsharp/RestSharp@110.2.0...111.0.0

v110.2.0
What's Changed
Full Changelog: restsharp/RestSharp@110.1.0...110.2.0

v110.1.0
What's Changed
- AddJsonBody overload to serialise top-level string by @alexeyzimarev in https://github.com/restsharp/RestSharp/pull/2043
Full Changelog: restsharp/RestSharp@110.0.0...110.1.0

v110.0.0
What's Changed
Breaking change
The IRestClient interface signature is different, so any non-standard implementations need to adopt the changes. To keep DefaultParameters thread-safe, it got a new type DefaultParameters, and the request property Parameters has a dedicated type RequestParameter. Code-wise the change is non-breaking as the signatures are the same, but v110 is not binary compatible with previous versions. The difference is that the DefaultParameters collection wraps all its mutations in a lock.
Full Changelog: restsharp/RestSharp@109.0.1...110.0.0

v109.0.1
What's Changed
- HttpClient. by @tacosontitan in https://github.com/restsharp/RestSharp/pull/2008
New Contributors
Full Changelog: restsharp/RestSharp@109.0.0...109.0.1

v109.0.0
What's Changed
- JwtAuthenticator with token includes Bearer prefix by @nivmeshorer in https://github.com/restsharp/RestSharp/pull/1949
- CsvConfiguration when reading by @electrokit in https://github.com/restsharp/RestSharp/pull/1965
- RequestMessage by @adegwerth in https://github.com/restsharp/RestSharp/pull/1989
- RestRequestExtension.cs by @ztl8702 in https://github.com/restsharp/RestSharp/pull/1986
- IRestClient interface
- Options property is using a read-only options class, so it won't be possible to re-assign options that configure the HTTP client and message handler
New Contributors
Full Changelog: restsharp/RestSharp@108.0.3...109.0.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.